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™ Do not attempt to implement any of the settings in this guide without first 
testing in a non-operational environment. 


= =This document is only a guide containing recommended security settings. It is not 
meant to replace well-structured policy or sound judgment. Furthermore this guide 
does not address site-specific configuration issues. Care must be taken when 
implementing this guide to address local operational and policy concerns. 





=™ The security changes described in this document only apply to Microsoft Windows 
2000 systems and should not be applied to any other Windows 2000 versions or 
operating systems. 


= This document may contain recommended settings for the system Registry. 
Windows 2000 Certificate Services can be severely impaired or disabled with 
incorrect changes or accidental deletions when using a_ Registry editor 
(Regedt32.exe or Regedit.exe) to change the system configuration. 


™ Currently, there is no undo command for deletions within the Registry. Registry 
editor prompts the user to confirm the deletions if Confirm on Delete is selected from 
the options menu. When akey is deleted, the message does not include the name of 
the key being deleting. Therefore, check selection carefully before proceeding. 


= SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR _ IMPLIED 
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
EXPRESSLY DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE 
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE. 


= =This document is current as of April 30, 2001. See Microsoft's web page for the 


latest changes or modifications to the Windows 2000 operating system or Certificate 
Services. 
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Some parts of this document were drawn from Microsoft copyright materials with their 
permission. 
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Microsoft, MS-DOS, Windows, Windows 2000, Windows NT, Windows 98, Windows 95, 
Windows for Workgroups, and Windows 3.1 are either registered trademarks or 
trademarks of Microsoft Corporation in the U.S.A. and other countries. 


All other names are registered trademarks or trademarks of their respective companies. 
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Introduction 


This document is one of two documents that describe how to securely install, configure, 
and administer the Windows 2000 Certificate Services. The focus of these documents is 
security-relevant information pertaining to the installation and administration of the 
services. Although Microsoft's Internet Information Service (IIS) is required to enable 
users to request certificates through web pages, this document does not provide 
instructions for securely installing and managing IIS. That information, along with detailed 
information on using certificates with Internet Information Service, can be found in the 
document entitled Secure Installation and Configuration of Microsoft's Internet 
Information Service 5.0. 





This document is intended for the reader who is already familiar with public key 
cryptography but needs to understand how to install, configure, and administer 
Microsoft's Certificate Services in a more secure manner. The information presented 
here is written in a direct and concise manner in deference to this intended audience. A 
brief description of public key cryptography is given as background information. 


Some Certificate Services’ security issues and corresponding configuration and 
administrative actions are very specific to the way the product is being used. For this 
reason, it is difficult in some areas to recommend specific, concrete actions. Instead, a 
summary is offered which describes the concerns and recommends solutions that the 
administrator must tailor to his/her own environment. 


It is also important to realize that many organizations have developed policies regarding 
the structure and administration of Certificate Services. Given the wide audience 
intended for this document, those specific policies could not be considered. It is up to the 
reader to apply these recommendations in light of their site’s local security policies. 


Summary of Certificate Server Documentation 


|____Document__—|_————s Contents| Targetaudience 
Guide to the Secure A detailed look at the e Knowledgeable 
Configuration and secure installation and Windows 2000 
Administration of configuration of Certificate administrators who may 
Microsoft's Windows Services in Windows 2000 be new to Microsoft's 
2000 Certificate and a description of how Certificate Services 


Services (This these services can be used 
document) in the Windows 2000 

environment. 
Secure Configuration A secure installation and Windows 2000 
and Administration of configuration guide in administrators who are 
Microsoft Windows checklist format with no familiar with Microsoft's 
2000 Certificate detailed explanations Certificate Services 
Services (Checklist 
Format) 





Table 1 Summary of Certificate Server Documentation 
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PLEASE NOTE THAT THESE DOCUMENTS ASSUME THAT THE READER IS A 
KNOWLEDGEABLE WINDOWS 2000 ADMINISTRATOR. A knowledgeable Windows 
2000 administrator is defined as someone who qn create and manage accounts and 
groups, understands how Windows 2000 performs access control, understands how to 
set account policies and user rights, is familiar with how to setup auditing and read audit 
logs, etc. These documents do not provide step-by-step instructions on how to perform 
these basic Windows 2000 administrative functions. It is assumed that the reader is 
capable of implementing basic instructions regarding Windows 2000 administration 
without the need for detailed instructions. 


the Microsoft Windows 2000 operating system that are not 
specifically related to the Microsoft Windows 2000 Certificate 


& WARNING: This guide does not address security issues for 
Service and its implementation. 


This document is intended for Windows 2000 network administrators, but should be read 
by anyone involved or interested in Windows 2000 or network security. 
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The following list contains suggestions to successfully and securely configure and 
administer Windows 2000 Certificate Services according to this guide: 


and every setting in this book should be tested on a non- 


é WARNING: This list does not address site-specific issues 
operational network. 


Q Read the guide in its entirety. Omitting or deleting steps can potentially lead to 
an unstable system and/or network that will require reconfiguration and 
reinstallation of software. 


Q Perform pre-configuration recommendations: 


o Perform a complete backup of your system before implementing any of 
the recommendations in this guide 


Q Follow the security settings that are appropriate for your environment. 


Commonly Used Names 


ye) 


Throughout this guide the network name “xtest.gov” will be used in the examples, 
screenshots, and listings. 


with the appropriate network name for the networks being 
secured. These names are not real networks and have been 


6 WARNING: It is extremely important to replace “ xtest.gov 
used for demonstration purposes only. 
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Microsoft Windows 2000 Certificate Services 





This document consists of the following chapters: 
Chapter 1, “Windows 2000 Certificate Services,” 
Chapter 2, “Managing Certificates with the MMC,” 





Chapter 3, “Additional Security Issues,” 
Chapter 4, “Backups,” 
Appendix A, “Further Information,” contains a list of resources referenced in this guide 


An Important Note About Operating System Security 


It is very important to keep track of permissions on Certificate Services directories. The 
default settings should be changed to reflect the following. Think carefully before granting 
others access to these directories. The more access given, the more likely it is that there 
could be a compromise. 


%Systemroot%\system32\Certsrv Administrators Full Control 


Authenticated Users Read&Execute, List Folder 
Contents, Read 


System Full Control 


*%Systemroot%\system32\CertLog | Administrators, Security group (could | Full Control 
be Enterprise Admins), System 

Specified Shared Folder location Administrators, System, Enterprise Full Control 
Admins 


Table 2 Permissions on Certificate Directories 





File permissions, registry settings, password usage, user rights, and other issues 
associated with Windows 2000 security have a direct impact on Certificate Services 
security. 


The recommended source of information for how to securely configure the Windows 2000 
server and workstation is NSA’s Windows 2000 security guide. This guide is comprised of 
a series of documents covering various aspects of Windows 2000 security, which is 
available on the same media as this document, or can be obtained by calling 
1-800-688-6115. It is important to implement this guide on the Certificate Services server. 
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Windows 2000 Certificate Services 


Microsoft Windows 2000 Certificate Services offers an integrated public key infrastructure 
(PKI) that enables the secure exchange of information across the Internet, extranets, and 
intranets. PKI refers to a system of digital certificates and certificate authorities (CAs) that 
verify and authenticate the validity of each party involved in an electronic transaction. 
These services, when implemented, help eliminate the threats to computer systems by 
providing three types of security services: authentication, non-repudiation, and integrity. 
Windows 2000 Certificate Services has the ability to take advantage of the following 
resources (depending on the CA policy) to assist in implementing these security services. 
A detailed description of how these resources relate to Certificate Services is provided 
later in this document. 
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= §The use of snap-ins — Enroll users for certificates from the CA using either the 
Certificate Services Web pages or the Certificates snap-in. Manage Certificate 
Services through the Certification Authority snap-in. 


= The use of templates — Use certificate templates to help simplify the process of 
requesting a certificate. Templates are also used to control the kind of certificates a 
user can obtain from an enterprise CA. 


= =6The use of Active Directory - Take advantage of Microsoft Active Directory for 
publishing trusted root certificates, issued certificates, and certificate revocation lists 
(CRLs). 


= =6The use of smart cards — Ability to use smart cards to log onto a windows -based 
domain. 


Operating System Security 


Prior to installing Windows 2000 Certificate Services, invoke the Windows 2000 security 
guide. File permissions, registry settings, password usage, user rights, and other issues 
associated with Windows 2000 security have a direct impact on Certificate Services 
security. Install the High Encryption pack that comes as an optional install with the 
Windows 2000 software. This package provides the capability to use strong cryptography 
by allowing certificates to be created using large cryptographic key lengths. 


Administrators should always check for hotfixes/patches and install them as directed, 
along with the latest service pack available from Microsoft. Available patches can be 
found at the Microsoft Download Center at http://www.microsoft.com/downloads. At the 
time of this writing, Microsoft had released no hotfixes or patches for Windows 2000 
CertificateServices 


Groups Used With Certificate Services 


Two global security groups are used for managing Certificate Services -- Cert Publishers 
and Enterprise Admins. These groups are used to define permissions on objects related 
to Certificate Services. Members can be added to these groups the same way members 
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are added to any other group in Windows 2000. The Enterprise Admins group can be 
used to delegate authority over the enterprise to selected individuals, freeing the 
administrator to perform other daily tasks. The members of the group can be granted 
permission to manage Certificate Services within an Enterprise. Examples of such tasks 
include backing up, restoring, and renewing CAs within an enterprise; maintaining CA 
Web pages; managing CA templates; maintaining CRLs; and mapping certificates to user 
accounts. Assigning permissions to allow the Enterprise Admins group to perform these 
tasks is discussed in the related sections within this document. Any CA server that needs 
to publish certificates to Active Directory must be a member of the Cert Publishers group. 
CAs are automatically added to the Cert Publishers group within their own domain. If a 
CA is required to publish certificates in another domain, it will have to be manually added 
to that domain’s Cert Publishers group. 


Public Key Cryptography Overview 


There are two basic kinds of cryptography -- symmetric cryptography and asymmetric 
cryptography. In symmetric cryptography, the same secret key is used for encryption and 
decryption. The key must only be shared between the encrypting party and the 
decrypting party. If someone else is able to obtain a copy of the secret key, they can also 
decrypt and read the message. Security for this type of cryptography is provided through 
the protection of the key being used by the sender and the receiver. As long as only the 
sender and receiver know the secret symmetric key value, the message is protected 
(assuming a robust encryption algorithm is used). 
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Public key (or asymmetric) cryptography is based on two halves of the same key that are 
“mirror images” of each other and are known as a “key pair’. Only one of the two halves 
of the key pair is required to encrypt a message with the corresponding half used for 
decryption. In public key cryptography, one half of the key pair is assigned to an 
individual who keeps it secret. This is called the “private key”. The other half is published 
in a public directory where all users can access it and is referred to as the “public key”. 
The sender encrypts a message with the public key of the receiver, which is retrieved 
from a public directory. The receiver uses the private component of his key pair, which 
only he has access to, to decrypt the message. Security is provided through the 
protection of this private key. 


Public Key Cryptography can also be used to provide three other very important security 
services: 


Authentication: a security mechanism that provides assurance that a message was 
actually sent by the person indicated in the “from:” field. 


Non-repudiation: a security mechanism that provides assurance that a sender of a 
message cannot later deny having sent it and the recipient cannot deny that it was 
received. 


Data Integrity: a security mechanism that provides assurance that a message has not 
been modified during transit. 


These security mechanisms are typically provided via use of a hash in conjunction with 
public key cryptography. A hash is an encoding scheme that is quick to compute. It 
results in a relatively short numeric representation of the message that was hashed. 
Hashes have two important characteristics that allow their use or authentication, non- 
repudiation and data integrity. 
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First, a hash is a one-way function -- this means that one cannot retrieve the message 
from the hash. Second, a hash has a low probability of collisions meaning that even a 
minor change in a message will result in a change of the hash value. 


A process that uses a hash in conjunction with public key cryptography to provide these 
security services is called “signing”. 


When a user signs a message, a hash of the message is calculated and then encrypted 
using the sender's private signing key. This encrypted hash is known as the “digital 
signature”. The original plaintext message, the digital signature, and the sender's signing 
certificate (which contains the sender's public signing key) are sent to the recipient. 
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On the receiving end, the digital signature is decrypted using the sender's public signing 
key that was sent along with the message in the form of the certificate. 


Additionally, the receiving client generates a hash on the plaintext message so it can be 
compared with the hash that was just decrypted. If the two hashes are the same the 
message must have originated from the sender, since he/she is the only one who holds 
the private component of this key pair (providing authentication and non-repudiation), and 
the message must be the same as was sent (providing data integrity). 


In this example the sender’s public key was transmitted along with the message. How 
does one prevent an unscrupulous user from simply generating his own key pairs and 
masquerading as someone else? Trust of keys is established via the use of a certificate. 


A certificate is a user's public key that has been digitally signed by a trusted authority 
called a Certification Authority (CA). When a certificate is received, its digital signature is 
checked to insure that someone the recipient trusts issued it. 


Certificate Chaining 


To be considered valid, all certificate chains must validate to a trusted root certificate. 
During a CA installation, these root certificates are distributed in one of three ways: 


m The Certificate Import Wizard of the Certificates snap-in can be used by an 
administrator to manually add the root certificate to the local machine (described 
in the Certificate Services Snap-Ins section of this document). 


m A domain administrator can distribute any root certificate to groups of computers 
within the forest using the public key group policy. If an external CA only needs to 
be trusted by a small number of computers within the enterprise, group policy 
can be used to apply the desired settings to only those computers requiring the 
trust. 


= Automatically added from Active Directory as a result of a domain administrator 
installing a CA or added by using the DSStore tool. 


In a CA hierarchy, several layers of CAs will exist. Part of the chain validation process 
involves retrieving and analyzing all intermediate certificates (subordinate CA certificates) 
in a certificate chain. It is possible that the client is missing all or part of the certificate 
chain used to validate a leaf certificate. Authority Information Access (AIA) locations, 
published in certificates by the enterprise CA, are used to tell the verifier of a certificate 
where to retrieve a CA’s certificate. An AIA typically uses LDAP, HTTP, or FILE uniform 
resource identifiers (URIs) to point to locations where the intermediate certificates reside. 


Smart card logon uses X.509 version 3 certificates as an alternative to using passwords 
for the Kerberos authentication process. In order for smart card logon to work, both the 
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domain controller and the client must have valid certificates from Windows 2000 
enterprise CAs. The smart card certificate must be issued by an enterprise CA within the 
forest. Each certificate in the certificate chain must be accessible. This means the 
certificates must reside on the local machine or accessible through the network and 
revocation information must be reachable. All revocation information must be time valid. 
Certificates in the certificate chain cannot be listed on the CRL. Both certificates must 
chain to trusted root certificates. The smart card certificate must be based on the 
SmartCard Logon or SmartCard User certificate template. If any of these requirements 
are not met, the logon will fail. 
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Public Key Cryptography Standards (PKCS) 


RSA Laboratories, in collaboration with Apple, Digital, Lotus, Microsoft, MIT, Northern 
Telecom, Novell and Sun, developed a family of standards describing data structures 
used with public key cryptography. These standards, identified by numbers 1-15, 
describe the syntax for digitally signing a message, encrypting a message, and ensuring 
a requester has an appropriate private key. A Windows 2000 Certificate Services CA 
uses the following PKCS numbers: 


™ PKCS #1 — describes how digital signatures are constructed using the RSA public 
key algorithm in conjunction with hash algorithms. It also describes how to represent 
RSA public keys and private keys. This standard is used in conjunction with PKCS #7 
for defining how to construct signed messages. 


™ PKCS #7 - describes how digital signatures and encryption are applied to any block 
of data. It also describes how other attributes, such as the message signing time, can 
be included in the message and protected by the same signature. A special form of a 
PKCS#7 message, degenerate message, is used for transporting certificates and 
CRLs. This standard also specifies how data can be encrypted using a symmetric- 
key algorithm to encrypt data and an RSA public key for encrypting the symmetric 
keys. 


™ PKCS #10 — describes how to construct a certificate request message. A certificate 
request consists of a public key and an optional set of attributes, such as the 
distinguished name or the e-mail name of the requester, which is signed by the 
private key matching the public key in the request. Windows 2000 Certificate 
Services uses this standard to receive certificate requests. Windows 2000 Certificate 
Services receives a request, processes it and will either issue the X.509 certificate to 
the request or deny the request. The information returned to the requester is either in 
the form of a single X.509 certificate or the certificate plus its chain up to the root 
certificate. This information is returned to the requester in the form of a degenerate 
PKCS #7 message. 
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Prior to configuring the Certificate Services, determine the hierarchy of the PKI. The 
number of CAs will depend on the size of the user community being serviced. It is 
recommended that the hierarchy consist of at least one root CA that only issues 
subordinate CA certificates. Place your root CA machine where it will be physically 
secure; i.e., behind a locked door where only authorized personnel can gain physical 
access to it. Ideally, the root CA will have no network connectivity and will not be a 
member of any domain. Several intermediate subordinate CAs can be used to issue 
certificates to the CAs providing end-entity certificates. Implementing a three-tier CA 
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hierarchy will provide flexibility and insulate the root CA from attempts to compromise its 
private key by malicious individuals. In small intranets, the middle layer of subordinate 
CAs can be eliminated within the hierarchy as long as the root CA is protected as 
described in this document. The answers to the following questions will determine he 
policy module selected during the Certificate Services installation process. 


Q Will you maintain your own root CA or require services from an external CA? 
When you choose to trust a root certificate, you are also choosing to trust 
certificates signed by that root. Maintaining your own stand-alone root CA 
provides more control over its security. 
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Q Are the services required for a Windows 2000 domain (intranet) only? If so, 
implement the enterprise policy module (discussed on page 10) on all 
subordinate CAs. 





Q Are the services required to support users and computers outside of a Windows 
2000 domain? A stand-alone policy module (discussed on page 11) is required 
for a CA that supports an environment that is not entirely Windows 2000. 


QO How many subordinate CAs are required? At least a three-tier hierarchy is 
recommended; however, in small intranets, a two-tier hierarchy may be 
implemented as long as the CAs are in a protected environment. If you are 
implementing a hierarchy to service a large number of users, consider having 
more than one CA available for enrollment into a forest. This ensures that at least 
one CA is always available to process requests. 


Other pre-installation considerations: 
Q Determine who in the enterprise will be permitted to enroll for certificates. 





Q Determine the types of certificates each CA will issue (user, client authentication, 
certificate trust list signing, secure email, etc.). The available templates offered 
by a CA will depend on the types of certificates the administrator permits the CA 
to issue. The Microsoft Management Console Help utility has a comprehensive 
list of certificate templates with a description of the type of certificate the template 
represents. (Perform a search on “Certificate Templates” to access this table) 


Root and Subordinate CA Installation 


Two choices for a policy module are available during the installation of Certificate 
Services: enterprise policy and stand-alone policy. A custom policy module can also be 
created; however, the stand-alone policy must be installed first, and then replaced with 
the custom policy module. The Microsoft Platform Software Development Kit has more 
information on creating custom policies for CAs. The policy selected will determine how 
the CA will process certificate requests, issue certificates, revoke certificates, and publish 
CRLs. The two policies also differ in how they handle interaction with Active Directory, 
authentication, and the use of templates. 


The CAs’ private keys provide the basis for trust in the certification process. For this 
reason, cryptographic hardware modules may be used to provide tamper-resistant key 
storage and to isolate the cryptographic operations from other software running on the 
server. Cryptographic hardware modules greatly reduce the likelihood of a CA’s key 
being compromised. It is recommended that hardware modules be used to secure 
signing keys of at least the root CAs. Prior to using a cryptographic service provider 
(CSP) other than the software CSPs included with Windows 2000, confirm with the 
vendor that it can work with Microsoft's Certificate Services. If it does, ask the vendor for 
documentation explaining how to operate Certificate Services with their CSP. 
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Windows 2000 CA Policies 


Enterprise Policy Module — A CA using the enterprise policy is referred to as an 
enterprise CA. Enterprise CAs are dependent on Active Directory and DNS. This is the 
recommended policy module for subordinate CAs within a Windows 2000 domain. 
Enterprise CAs make use of certificate templates to create certificates for a particular 
purpose and as a means of defining the enrollment policy for a forest. The use of these 
templates provides the CA with the following functionality: 
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™ Credential checks are enforced on users during certificate enrollment. Security 
permission is set in Active Directory for each certificate template that determines the 
authorization for the type of certificate requested. If the user is not authorized to 
receive the requested certificate type, the request is denied. Setting security 
permissions on templates is discussed later in this document in the Enterprise CA 
Templates section. 
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= §6The certificate subject name is automatically generated. 


= A predefined list of certificate extensions is added to the issued certificate from the 
template, reducing the amount of information a requester must provide regarding the 
certificate and its intended use. Two Microsoft-specific extensions are included with 
Windows 2000 enterprise CAs for management purposes: Certificate Template and 
CA Version. The Certificate Template extension is used to identify the template used 
to create the certificate. The CA Version extension is used to track how many times a 
CA has been renewed and the number of signing keys that are in the possession of 
the CA. 


To install an enterprise CA, choose an enterprise CA Certification Authority type during 
the installation of Windows 2000 Certificate Services. (See Figure 1) 








Windows Components Wizard Ea 
Certification Authority Type 
There are four types of certification authorities. 
Certification Authority types: Description: 






4, standard CA that can issue 


Enterprise root CA at 
certificates to any user or 


@ Enterprise subordinate CA computer in the enterprise. Must 
obtain a CA certificate from 

© Stand-alone root C4 another CA in the enterprise. 
Requires Active Directory. 

© Stand-alone subordinate CA ha 


[~ Advanced options 





< Back Cancel | 





Figure 1 Choosing Enterprise Subordinate CA for Certification Authority Type 


A Windows 2000 enterprise CA has the simplest administration model with the lowest 
overhead per certificate. It works with Active Directory and the Windows 2000 security 
model to minimize the administrative burden of issuing certificates while providing an 
integrated single point of management. An enterprise CA uses Active Directory as a 
registration database. A user created in a Windows 2000 domain is automatically 
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registered to all enterprise CAs in the forest. This lets users who have appropriate 
permissions request a certificate from any enterprise CA. The Windows 2000 security 
model is used to identify the user requesting a certificate and verifies their eligibility based 
on the user’s group membership. Enterprise CAs publish certificates and CRLs to Active 
Directory. Enterprise CAs can also issue certificates that can be used to logon to Windows 
2000 domains using smart cards. 


Stand-alone Policy Module — A CA using the stand-alone policy is referred to as a stand- 
alone CA. Stand-alone CAs do not typically make use of Active Directory. They can, 
however, take advantage of an Active Directory if it is available. A stand-alone CA is most 
often operated offline to povide a high degree of security. A Windows 2000 stand-alone 
CA can function independently of Active Directory and other components in the Windows 
2000 forest. It can also be installed on a Windows 2000 server in a Windows NT 4.0 
domain. To install a stand-alone CA, choose a stand-alone CA Certification Authority type 
during the installation of Windows 2000 Certificate Services. (See Figure 2) 


Windows Components Wizard x] 


Certification Authority Type 
There are four types of certification authorities. 








Certification Authority types: Description: 


The most trusted CA in a C4, 
hierarchy. Does not require 
© Enterprise subordinate CA Active Directory. 


g i yaaeeeed 
C Stand-alone subordinate C4 ia 






™ Enterprise root C4 





IV Advanced options 


< Back Cancel | 








Figure 2 Choosing Stand-alone Root CA for Certification Authority Type 


The stand-alone CA is a more secure implementation of the Certificate Services due to 
the fact that it generally is not connected to a network. This, however, requires more 
administrative overhead. Certificate requesters must explicitly supply all identifying 
information about themselves and the type of certificate desired (unlike the enterprise CA 
where information is taken from the Active Directory and the certificate type is described 
by a certificate template). By default, all requests sent to stand-alone CAs are set to 
pending and the administrator of the CA must verify the identity of the requester before 
the CA can satisfy the request. In addition, the administrator has to explicitly distribute the 
stand-alone CAs certificate to the domain user’s local trust root store and manually 
update CRLs on a regular basis. Detailed steps for creating an offline root CA can be 
found in the Microsoft Help pages. 
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Security Note: If a stand-alone root CA is installed with 
access to Active Directory, it is added to the Trusted Root 
Certification Authorities certificate store for all users and 
computers in the domain. However, it does not use Active 
Directory to verify a requester’s credentials. Therefore, do 
NOT change the default action (pending) of the CA upon 
receiving certificate requests. If the requests were not 
marked as pending, the trusted root stand-alone CA would 
automatically issue certificates without verifying the identity 
of the requester. 


Installation of either policy by a Domain o Enterprise Admin, on a network accessible 
machine, creates CA and CRL objects in Active Directory. Therefore, much of the 
certificate chain building process and certificate revocation checking takes place using 
LDAP queries to Active Directory. Also, the root certificate is placed in Active Directory, 
allowing all Windows 2000 clients on the enterprise network to automatically receive 
copies of that CA’s certificate. 


Both types of CAs can issue certificates for purposes such as digital signatures, secure 
e-mail using S/MIME, and authentication to a secure web server using Secure Sockets 
Layer (SSL) or Transport Layer Security (TLS). Enterprise CAs have some added 
capabilities due to the added security they provide when authenticating certificate 
requesters. Enterprise CAs can issue certificates for logging onto a Windows 2000 
domain using a smart card, and can issue certificates that can be used to authenticate 
the user from a Microsoft Internet Information Services server in the forest. Stand-alone 
CAs are not capable of providing this functionality. 


There can be more than one enterprise root CA in a Windows 2000-based domain, thus 
more than one hierarchy. It is also possible to mix and match stand-alone and enterprise 
CAs in a hierarchy to best suit your reeds. This is the recommended hierarchy. Create 
an offline stand-alone root CA that issues certificates to subordinate CAs only. These 
subordinate CAs can use the stand-alone policy as well, but would require a lot more 
administrator interaction, increasing the possibility of compromise. If the CAs will be 
supporting a Windows 2000 domain, enable the subordinate CAs to implement the 
enterprise policy and take advantage of the added security features it provides. An offline 
root CA provides assurance that it cannot be easily compromised, and any compromised 
subordinate CA on the network can be safely revoked. 


Exit Policy Module 


The exit module provided with Windows 2000 allows certificate publication to Active 
Directory or the file system, determined by what the certificate request specifies. It also 
publishes CRLs to specified URLs. The exit module determines where the CA publishes 
the CRL. The CA server must be a member of the Cert Publishers group in Active 
Directory to publish certificates in a domain. When certificates are published in Active 
Directory, they are associated with the object in Active Directory to which they were 
issued. A custom exit module can be created to replace an existing exit module, but this 
is not generally required. Guidelines for creating a custom exit module can be found in 
the Microsoft Platform Software Development Kit. 
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Enterprise CAs 


Enterprise CAs are typically installed if certificates will be issued to users or computers 
within an organization using a Windows 2000 domain. All certificate requesters MUST 
have an entry in the Windows 2000 Server Active Directory. The enterprise root CA is the 
trust point in the enterprise. All other subordinate CAs are trusted only because the root 
is trusted. It is recommended that the enterprise root CA be configured to only issue 
certificates to subordinate CAs within the hierarchy. Subordinate CAs can then be setup 
to issue certificates to issuing CAs, which issue certificates to end-users. 


Enterprise Root CA 


(Most of this information was taken from Microsoft's “Install an enterprise root certification 
authority” Help page) 


Q Log on to the system as a Domain Administrator. 
Q Click Start, point to Settings, and then click Control Panel. 


Q Double-click Add/Remove Programs and then click Add/Remove Windows 
Components. 





Q In the Windows Components wizard, select the Certificate Services check box. If 
you intend to use the optional Web components, make sure IIS is also checked. 
IIS must be installed in order to use this feature. A dialog box will appear to 
inform you that the computer cannot be renamed, and the computer cannot be 
joined to or removed from a domain after Certificate Services is installed. Click 
Yes and then click Next. 


Q Click Enterprise root CA. This option will be automatically selected. If another CA 
is already registered, the enterprise subordinate CA will be selected. If Active 
Directory is not available, the two enterprise options will be disabled. 


Q Select the Advanced options check box to specify the options listed in Table 3. 


Table 3 Details of “Advanced Options” When Selecting Enterprise Root CA 


Advanced Ganiment 
option 


The default is the Microsoft Base Cryptographic Provider, however, it is 
recommended that the optional High Encryption package be installed on all CAs 
and the Microsoft Enhanced Cryptographic Provider v1.0 be used instead. Other 
enhanced CSP options are available after the installation of the High Encryption 
package and may also be used if they are appropriate for your configuration. 
Certificate Services does support third party CSPs, but you must refer to the CSP 
vendor's documentation for information about using their CSP with Certificate 
Services. 


Hash algorithm |The default is SHA-1. 


provider (CSP) 


If you select this option, you can use an existing public key and private key pair 
Existing keys |instead of generating new ones. This is generally not recommended, but is useful if 


you are relocating or restoring a previously installed CA. 
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The default key length using the Microsoft Base Cryptographic Provider is 512 bits. 
Default key lengths for other CSPs vary. In general, the larger the key length, the 
more secure the key is. The High Encryption pack enables the CA to issue 
certificates with larger key lengths than those provided by default. Keep in mind, 
however, key lengths larger than 2048 take longer to generate and may have an 

Key length [impact on network performance. A CA should use the largest key length available 
that is compatible with the hardware configuration and the applications being used. 
Be aware that some hardware devices and older applications may not support very 
long key lengths (i.e., 4096 bits). For example, space limitations on some smart 
cards prevent the use of key lengths greater than 2048 bits. (This option is not 
available if you select to use existing keys). 
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Windows Components Wizard 





Public and Private Key Pair 


Select a cryptographic service provider (CSP) and the settings to be used in 
generating 4 key pair, or use an existing key pair. 



















CSP: Hash algorithm: 
Microsoft Base Cryptographic Provider v1.0 MD4 a 
Microsoft Base DSS Cryptographic Provider MD5 





Microsoft Enhanced Cryptographic Provider v1.0 
Microsoft Exchange Cryptographic Provider v1.0 


> . 


Key length: 





T- Use existing keys 
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View Certificate 
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1S DCOM ClientAdministratorS-1-5-2 
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J” Use the associated certificate 
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Figure 3 Enterprise Root CA - Advanced Options 


Q When configuration is completed, click Next. 





Q Type the name of the certification authority and other necessary information. 
None of this information can be changed after the CA setup is complete. CA 
names are bound into their certificates and cannot change. When naming the 
CA, consider factors such as organizational naming conventions and future 
requirements. (See Figure 4) 
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Windows Components Wizard ; xi 
CA Identifying Information 
Enter information to identify this CA 


C4 name: [MycaNeme 
Organization: [MyQrganization 
Organizational unit: [My Unit 
City: Batimore 
State or province: [Mayland Country/region: jus 
E-mail: [Admin@myemaiaddess 
CA, description: cme | 
Valid for: [3 [Yeas ¥] Expires: [9/22/2003 3:40 AM 
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Figure 4 Enterprise Root CA - Identification Information 


Q In Validity duration, specify the validity duration for the root CA. Click Next. The 
validity duration chosen for the CA will determine when the CA "expires." 
(Recommend setting this to 5 years for low assurance CAs and 3 years for 
medium to high assurance CAs. Information on enewing CAs will be discussed 
later in this document.) 


Q Specify the storage locations of the certificate database, the certificate database 
log, and the shared folder. Click Next. (See Figure 5) 
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Windows Components Wizard Ea 


Data Storage Location 
Specify the storage location for the configuration data, database and log 








Certificate database: 


[CAWINNT\System32\CertLog Browse... | 


Certificate database log: 


[c: \WINNT\System32\CertLog Browse... | 


I Store configuration information in a shared folder 
Shared folder: 


[E-\shared folder location Browse... | 
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[| Preserve evisting certificate database 








Figure 5 Enterprise Root CA - Data Storage Location 


NOTE: It is a good idea to specify a shared folder location to 
store CA configuration information. Make it a Universal Name 
Convention (UNC) path and have all CAs point to the same 
folder. This way administration tools can be used to 

bs determine CA configuration in the event the Active Directory 
is unavailable. 


Q If the World Wide Web Publishing service is running, you will see a request to 
stop the service before proceeding with the installation. Click OK. 





Q ‘If prompted, type the path to the Certificate Services installation files. 


NOTE: The enterprise root CA selection requires that the 
host computer be a member of a domain and that it use 
Active Directory. For this reason, the administrator installing 
an enterprise CA must have Write permission to Active 
Directory. 


If the administrator has Write permission to Active Directory, 
specifying the shared folder is optional; however, it is 
recommended. 


Stand-alone CAs 


A Stand-alone policy module is generally selected if a CA will be used to issue 
certificates to entities outside of an organization; the CA is supporting a non-Windows 
2000 domain; or the use of Active Directory, or other Windows 2000 PKI features, is not 
desired. It is a good idea to configure a stand-alone CA as your root CA. Keep it offline 
once it is configured, physically secured, and enforce a two-person control on all actions 
taken on the CA through your security policy. This could be accomplished by placing the 
root CA behind a door with dual combo locks. This would then require two individuals in 
order to gain physical access to the root CA. These extra security measures would 
minimize the opportunity of a malicious administrator to manipulate critical certificate 
services’ files. 
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Stand-alone Root CA 


(Most of this information was taken from Microsoft's “Install a stand-alone root 
certification authority” Help page) 


Q Log on to the system as an Administrator, or if you have Active Directory, log on 
to the system as a Domain Administrator. 


Click Start, point to Settings, and then click Control Panel. 
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Double-click Add/Remove Programs and then click Add/Remove Windows 
Components. 
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Q In the Windows Components wizard, select the Certificate Services check box. A 
dialog box will appear to inform you that the computer cannot be renamed, and 
the computer cannot be joined to or removed from a domain after Certificate 
Services is installed. Click Yes and then click Next. 


Click Stand-alone root CA. 





Select the Advanced options check box and apply the desired settings (refer to 
Table 3 to determine the appropriate settings for these fields). 





Windows Components Wizard 


Public and Private Key Pair 


Select a cryptographic service provider (CSP) and the settings to be used in 
generating 4 key pair, or use an existing key pair. 





















CSP: Hash algorithm: 

Microsoft Base Cryptographic Provider v1.0 MD4 a 
Microsoft Base DSS Cryptographic Provider MD5 

Microsoft Enhanced Cryptographic Provider v1.0 

Microsoft Exchange Cryptographic Provider v1.0 hal = 
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View Certificate 


Microsoft Internet Information Server 
MS 1S DCOM ClientAdministratorS-1-5-2 
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Figure 6 Stand-alone Root CA — Advanced Options 


OQ When you are done, click Next. 





Q Type the name of the certification authority and other necessary information. 
None of this information can be changed after the CA setup is complete. CA 
names are bound into their certificates and cannot change. When naming the 
CA, consider factors such as organizational naming conventions and future 
requirements. 
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Windows Components Wizard |X| 


CA Identifying Information 
Enter information to identify this C4, 








CA name: [TestStandtloneRootCA 
Organization: [MyOrganization 
Organizational unit: [My Organizational Unit 
City: [Batimne 
State or province: [MD Country/region: [us 
E-mail: fAdmin@emaaddess 
CA description: [Root CAforliSTestdomard 
Valid for: 3 [Yeas +] Expires: [5/18/2004 11:22at 
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Figure 7 Stand-alone Root CA - Identifying Information 





Q In Validity duration, specify the validity duration for the root CA. Click Next. The 
validity duration chosen for the CA will determine when the CA "expires." 
(Recommend setting this to 5 years for low assurance CAs and 3 years for 
medium to high assurance CAs. Information on renewing CAs will be discussed 
later in this document.) 


Q Specify the storage locations of the certificate database, the certificate database 
log, and the shared folder. Click Next. If Active Directory is available and you 
have Write permission to Active Directory, then specifying the shared folder is 
optional; however, it is recommended. 
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Windows Components Wizard x] 


Data Storage Location Bs 
Specify the storage location for the configuration data, database and log ES | 





Certificate database: 


[c: \WINNT\System32\CertLog Browse... | 


Certificate database log: 


[c: \WINNT\System32\CertLog Browse... | 


IV Store configuration information in a shared folder 
Shared folder: 


[E-\shared folder location Browse... | 


J. Preserve evisting certificate database 
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Figure 8 Stand-alone Root CA — Data Storage Location 


If the World Wide Web Publishing Service is running, you will receive a request 
to stop the service before proceeding with the installation. Click OK. 


If prompted, type the path to the Certificate Services installation files. 


Subordinate CA 
Follow the same instructions for Enterprise and Stand-alone. 


(Most of this information was taken from Microsoft's “Install an [enterprise/stand-alone] 
subordinate certification authority” Help page) 


Q 
Q) 
Q 





Log on to the system as a Domain Administrator. 
Click Start, point to Settings, and then click Control Panel. 


Double-click Add/Remove Programs and then click Add/Remove Windows 
Components. 


In the Windows Components wizard, select the Certificate Services check box. A 
dialog box will appear to inform you that the computer cannot be renamed, and 
the computer cannot be joined to or removed from a domain after Certificate 
Services is installed. Click Yes and then click Next. 


Click desired subordinate CA type, i.e., Enterprise or Stand-alone subordinate CA. 
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: Requires Active Directory. 
Stand-alone subordinate CA ha 


T- Advanced options 








Figure 9 Choosing Enterprise Subordinate CA 


Q Select the Advanced options check box and apply the desired settings (refer to 
Table 3 to determine the appropriate settings for the fields shown in Figure 10). 
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Windows Components Wizard 





Public and Private Key Pair 


Select a cryptographic service provider (CSP) and the settings to be used in 
generating a key pair, or use an existing key pair. 





ESEs Hash algorithm: 


MD4 
MD5 










Microsoft Base Cryptographic Provider v1.0 
Microsoft Base DSS Cryptographic Provider 
Microsoft Enhanced Cryptographic Provider v1.0 
Microsoft Exchange Cryptographic Provider v1.0 
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Key length: 





I Use existing keys 


é Import... | 
icrosoft Internet Information Server 


SHS DCOM ClientAdministratorS -1-5-21-122094 


IIS DCOM ClientadministratorS-1-5-21-674779 8) _ View Cettiicate 


J- | Use the associated certificate 
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Figure 10 Subordinate CA — Sample Dialog Box for “Advanced Options” 
When you are finished, click Next. 





Type in the name of the CA and other necessary identifying information. None of 
this information can be changed after the CA setup is complete. CA names are 
bound into their certificates and cannot change. When naming the CA, consider 
factors such as organizational naming conventions and future requirements. 
Click Next. 
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Windows Components Wizard fea 


CA Identifying Information 
Enter information to identify this CA 


CAé name: [TestEnterpriseSubCA 
Organization: [MyOrganizatin 
Organizational unit: [My OrganizationalUrit 
City: [Batimne 
State or province: [MD Country/region: jus 
E-mail [Admin@emailaddess 
C4, description: [Sub CA forlISTestdomain 
Valid for [DeterminedbypaentCA 
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Figure 11 Subordinate CA — Identifying Information 





Q Specify the storage locations of the certificate database, the certificate database 
log, and the shared folder. Click Next. 
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Windows Components Wizard 


Data Storage Location 
Specify the storage location for the configuration data, database and log 








Certificate database: 


[c: \WINNT\System32\CertLog Browse... | 


Certificate database log: 


[c: \WINNT\System32\CertLog Browse... | 


IV Store configuration information in a shared folder 
Shared folder: 


[E-\shared folder location Browse... | 
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Figure 12 Subordinate CA — Data Storage Location 


The enterprise subordinate CA selection requires that the host computer be a member of 
a domain and that it use Active Directory. The administrator who is installing an 
enterprise CA must have Write permission to Active Directory. If you have Write 
permission to Active Directory, then specifying the shared folder is optional; however, it is 
recommended. 


Q Obtain the certificate for the subordinate CA. For instructions on how to do this, 
see the following NOTE. 


Q If the World Wide Web Publishing Service is running, the system will request that 
you stop the service before proceeding with the installation. Click OK. 





Q ‘If prompted, type the path to the Certificate Services installation files. 


NOTE: To obtain the certificate for a subordinate CA, you 
must submit a certificate request to a parent CA. The 
procedure for doing so differs depending on whether or not 
the parent CA is available online. 


If a parent CA is available online: 
Q Click Send the request directly to a CA already on the network. 


Q In Computer Name, type the name of the computer on which the parent CA is 
installed. 





Q In Parent CA, click the name of the parent CA. 
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If a parent CA is not available online: 
Q Click Save the request to a file. 


Q In Request file, type the path and file name of the file that will store the request. 





Q Obtain this subordinate CA's certificate from the parent CA. 


The procedure for doing this will be unique to the parent CA. At a minimum, the parent 
CA should provide a file containing the subordinate CA's newly issued certificate and, 
preferably, its full certification path. 


If there is a subordinate CA certificate that does not include the full certification path, the 
new subordinate CA being installed must be able to build a valid CA chain when it starts. 
Thus, the parent CA's certificate must be placed in the Intermediate Certification 
Authorities certificate store of the computer (if the parent CA is not a root CA), as well as 
the certificates of any other intermediate CA in the chain. The certificate of the root CA 
also must be placed in the chain into the Trusted Root Certification Authorities store. 
These certificates should be installed in the appropriate certificate store before the CA 
certificate is installed on the newly created subordinate CA. Follow the instructions 
described in the Certificate Store and Active Directory section of this document to install 
required parent CA certificates. The following describes the steps for installing the 
subordinate CA’s certificate once all the CA certificates in the chain have been installed: 


Q Open Certification Authority by clicking Start, point to Programs, point to 
Administrative Tools, and then click Certification Authority 


In the console tree, click the name of the CA. 


On the Action menu, point to All Tasks, and then click Install CA Certificate. 





Locate the certificate file received from the parent CA, click this file and then click 
Open. 


Renewing CA Certificates 
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A CA cannot issue certificates beyond the end of its validity period. When a CA reaches 
the end of its validity period, all certificates issued by that CA expire. This is done to 
ensure that a CA that has deliberately not been renewed cannot have the certificates 
issued by it used as valid security credentials. These certificates will no longer be valid, 
even if they have not reached the end of their own validity period. 


As a CA nears the end of its validity period, it will issue certificates with shorter and 
shorter validity periods. To avoid the problem of issuing certificates with VERY short 
validity periods, have a plan in place to renew the CA well before the end of its validity 
period. 


Renewing certificates takes advantage of the inherent trust relationship of the existing 
certificate. It is useful to renew a certificate if the new certificate will maintain all of the 
same attributes as the current certificate, while extending the validity period. 


Since others rely on the root CA’s certificate to form a certificate chain, and the life of a 
root CA will most likely outlast its validity period, the root CA must be able to renew its 
certificate. Two options are available when renewing certificates: renew using existing 
signing keys and renew using new signing keys. The most secure approach is to renew 
certificates using NEW keys. There are circumstances where it is appropriate to use 
existing keys. For example, if a CA must be restored following a hardware failure or if the 
CA must be restored following a relocation. Renewing root CA and _ intermediate 
subordinate CA certificates using existing keys may be an option for some sites as long 
as the CAs are offline, physically secured and implement a two-person control policy for 
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accessing the CA. This strategy allows others who rely on the CA certificate to verify 
certificates signed by it prior to actually having the new certificate. Relying parties can 
obtain the new certificate any time after it has been created, especially after it has been 
used to issue new certificates. This is not recommended for CAs used in highly 
sensitive/highly secure environments. 


CAs that issue certificates to users and computers should be renewed 6-12 months prior 
to the end of their validity period using NEW keys. Issuing CAs are online and interact 
with users much more frequently than root or subordinate CAs, making them more 
susceptible to attack. Using this strategy makes an attack on any one key less valuable 
to a hacker because the compromised key would have a limited lifetime. In highly secure 
areas and in small intranet environments, renewing certificates using new keys is the 
most secure strategy for all CAs in the enterprise. 


To ensure the security of any CA, select a long key length during installation, which is 
more secure against brute force attacks. This makes it possible to use the same private 
key for a longer period of time without fear of compromise. With today’s technology, a 
key-length of 4096 is expected to be relatively safe against brute force attack for 15-20 
years. Do not mistake this to mean that issuing certificates with long validity periods is 
recommended. The longer the certificate is valid, the greater the uncertainty of 
compromise posed by future developments in technology. A recommended strategy is to 
create CA certificates using the longest key length available that is compatible with the 
site’s configuration. Set the validity period for the root CA certificate to 35 years. Renew 
the root certificate 1 year prior to the end of the validity expiration date with a new key 
pair and extended validity period of 3-5 years. 


When a new key is used, a new CRL Distribution Point (CDP) is created, making CRL 
management easier. For CAs that issue large numbers of certificates and, possibly 
revoke large numbers of certificates, you can avoid the problem of having to distribute a 
very large CRL by renewing the CA with a new key well before the end of its validity 
period. This causes the CA to publish to the new CDP a separate CRL for the revoked 
certificates it has issued using the new key. t will also continue to publish a CRL to the 
old CPD for certificates signed with the old key for as long as those revoked certificates 
have not reached the end of their validity period. This strategy reduces the size of the 
CRL a certificate verifier has to download when presented with a certificate from an 
issuing CA. 


Below are the procedures for renewing a CA certificate: 


Q In the Certificate Authority snap-in, right-click the root CA, select All Tasks, 
Renew CA Certificate. 


Q Since Certificate Services cannot be running during this operation, you will be 
prompted to stop Certificate Services. Click Yes. 


OQ The Renew CA Certificate window appears. Select Yes or No to generate a new 
key pair. Almost always Yeswill be the selected option. (See Figure 13) 





Q Certificate Services will then restart with a new validity period for the renewed CA 
certificate. 
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If the CA certificate being renewed belongs to a subordinate CA, the request must be 
submitted to a parent CA. Retrieve the new certificate and install it using the same 
procedures for installing the initial certificate. 


It is important to note that whenever a CA is renewed, all 
automatic certificate enrollment objects that enroll for 

| certificates from that CA must be recreated using the same 
procedures described in the Enterprise CA Templates 
section of this document. 
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In addition to obtaining 4 new certificate for your certification authority (CA), you also 
have the option of generating a new signing key. 


You need a new certificate for your C4 when: 


The lifetime of the certificates you are currently issuing is reduced. 


‘You need 4 new signing key when: 
oO” The signing key is compromised. 


‘You have a program that requires a new signing key to be used with a 
new CA certificate. 


The current certificate revocation list (CARL) is too big, and you want to 
move some of the information to a new CRL. 


Do you want to generate a new public and private key pair? The cryptographic service 
provider, key length, and hash algorithm settings will be preserved. 


@ Yes 
™ No 





Cancel | 


Figure 13 Renewing a CA Certificate 
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Managing Certificates Using the MMC 


The Microsoft Management Console (MMC) provides auser interface shell application, 
called a console. The objective is that all management functions are accessible by a 
subordinate process running within a console. These processes are known as Snap-ins. 
The MMC itself does not provide any management behavior, but it offers a common 
environment for snap-ins. The result is that management and administrative control of the 
platform is centralized. 





Certificate Services Snap-4tns 


A Certification Authority snap-in and a Certificates snap-in are available for Certificate 
Services. During the installation of Certificate Services, a console is created with the 
Certification Authority snap-in loaded. This snap-in can be accessed from the 
Start Programs Administrative Tools Certification Authority menu item. 


The Certification Authority snap-in is used to control the types of templates the CA will 
make available to users, set permissions (manage, enroll, read) on the CA, and display 
certificate information such as issued, revoked, and pending certificates. 


{& Certification Authority 


|| action vew |e >| Om | |e 








Name intended Purpose 


Certification Authority (Local) GaEFS Recovery Agent File Recovery 
1-44 TestEnterpriseSubCa Gpasic EFS Encrypting File System 


(9 Revoked Certificates Galpomain Controller Client Authentication, Server Authentication 
(J Issued Certificates Galweb Server Server Authentication 
(5) Pending Requests Gal subordinate Certification Authority 
(4) Failed Requests ini: Code Signing, Microsoft Trust List Signing, Encrypting ... 
‘y Policy Settings . Client Authentication, Server Authentication 
Encrypting File System, Secure Email, Client Authentic... 





Figure 14 Certification Authority Snap-In 


A snap-in extension is available for the Certification Authority snap-in (See Figure 15). The 
Certification Authority Policy Setting extension allows the administrator to select the types of 
certificates the CA will be permitted to issue. 
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Add/Remove Snap-in 


Standalone Extensions | 


Use this page to enable snap-in extensions. To add a particular extension 
select the checkbox next to it. 


Snap-ins that can be extended: 
fe] Certification Authority 


IV Add all extensions 


Available extensions: 
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Description 


The Certification Authority Policy Settings extension allows you to select 
the types of certificates to issue when using the Enterprise Policy 
Module. 


Downloa 





Figure 15 Add/Remove Snap-in Extensions 


Select the Policy Settings folder to view a list of templates the CA can be configured to 
issue (See Figure 14). Delete templates by right-clicking the template you wish to 
remove and select Delete. To add a certificate template, right-click the Policy Settings 
folder and select New — Certificate to Issue. A list of templates and a description of their 
purpose is displayed (See Figure 16). Select ONLY the certificate templates your CA is 
required to issue and click OK. The new template will then be displayed in the right pane 
of the Certification Authority window. This is where the administrator can control the types 
of certificates the CA will make available to requesting users. More information regarding 
certificate templates can be found in the Enterprise CA Templates section of this 
document. 
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Select Certificate Template 


Select a certificate template to issue certificates 


ee | User Signature Only Secure Email, Clier 
Ga] Smartcard User Secure Email, Clier 
G2] Authenticated Session Client Authenticatic 


Ga] Smartcard Logon Client Authenticatic 
Pe Code Signing Code Signing 
Ge Trust List Signing Microsoft Trust List 

4 F nrollment Anent Certificate Request 


Cancel | 


Figure 16 Selecting Certificate Template 





It is very important to set security permissions and delegate control of CAs. Right-click 
the CA name you want to set security permissions on and select properties. The default 
permissions grant local Administrators, Domain Admins and Enterprise Admins full 
control over the CA (manage, enroll, and read permissions). Authenticated users are 
given the ability to enroll and read (See Figure 17). Unless your security policy requires a 
change to this setup, these permission settings are sufficient. If a user other than an 
administrator is required to manage the CA, an administrator could grant this user the 
permission to manage, thereby allowing control of the CA to the user without granting 
administrative privileges over the entire server. 

NOTE: ALWAYS use the Certification Authority snap-in to 

set permissions on CAs. Using other tools, such as Active 


Directory Sites and Services snap-in, may create problems 
when users attempt to access the CA. 
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TestEnterpriseSubCA Properties 


General | Policy Module | Exit Module | Storage Security 


Name Add... 


@ Administrators [WIN2K Administrators] 
: Remove | 
Authenticated Users 


#8 Domain Admins [(IISTEST Domain Admins} 
@ Enterprise Admins (IISTEST Enterprise Admins] 





Permissions: Allow Deny 


Manage 
Enroll 
Read 


Advanced... | 


| Allow inheritable permissions from parent to propagate to this 
object 


& pp ly 





Figure 17 Setting Security Permissions for CA Control 


Certificate Store and Active Directory 
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Certificates, CRLs, and certificate trust lists are stored in a permanent location for access 
by users. This permanent location is called a certificate store. Certificate stores manage 
certificates and their associated properties. An enterprise root certificate store is located 
on the local machine. There is also an enterprise root certificate store in Active Directory. 
When a domain administrator installs a Windows 2000 root CA, using the enterprise 
policy or stand-alone policy, the enterprise root certificate store is updated with the new 
certificate. A Windows 2000 Resource Kit tool, DSStore, is also available to 
administrators to add an offline stand-alone CA certificate to the store. The contents of 
the root certificate store in Active Directory are downloaded to each computer in the 
enterprise during bootup, when an auto-enrollment event is pulsed (about every eight 
hours), during group policy updates, or when manually pulsed using the DSStore. In this 
way, root certificates can be distributed to all computers in the forest. Active Directory is 
used as a certificate store by enterprise CAs to publish trusted root certificates, issued 
certificates, and CRLs. During the installation of an enterprise CA, and a stand-alone CA 
with access to Active Directory, information concerning the CA is written into a CA object 
in Active Directory. Domain clients use this information to find out about available CAs 
and the types of certificates they issue. 
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To view a computer’s certificate store, the Certificates snap-in can be used. This is 
helpful when you want to verify that a certificate has been issued for the computers within 
the domain. Follow these steps to load the Certificates snap-in into a new MMC. 


Click Start > Run and type “MMC” in the Open box. Click OK 
On the Console menu, select Add/Remove Snap-in 
Click Add 


O oO O 





Q Select Certificates from the list of displayed snap-ins and click Add (See Figure 18). 
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| Console Window — Help | Deh) 
Add Standalone Snap-in 
im Cons 
Actior Standalone | Extensions | Available Standalone Snap-ins: 


Tree | F Use this page to add or r 
“ls Active Directory Domains and Trusts Microsoft Corporation 


Cons Snap-ins added to: IS i Active Directory Sites and Services Microsoft Corporation 
active Directory Users and Computers Microsoft Corporation 
Fa ActiveX Control 
2+ Certificates Microsoft Corporation 
fea) Certification Authority Microsoft Corporation 
@ Component Services Microsoft Corporation 
I Computer Management Microsoft Corporation 
a} Device Manager Microsoft Corporation 
eS Disk Defragmenter Executive Software Inte... +| 


Description 


The Certificates snap-in allows you to browse the contents of the 


= certificate stores for yourself, a service, or a computer. 
Description —— 


-— 





Figure 18 Adding Certificates Snap-in 


A window will be displayed allowing you to choose the certificates to be managed through 
this snap-in. You can choose to manage user certificates, service certificates, and 
computer certificates (See Figure 19). Following this snapshot, there is an example of an 
MMC where My user account and Computer account have been selected, resulting in 
separate snap-ins (See Figure 20). When Computer account is selected, you have the 
option to choose the local machine or another machine. If another machine is selected, 
type in its name or click the browse button to select a computer on the network. When the 
snap-in is expanded, a list of available certificate stores is displayed. 


UNCLASSIFIED | 


UNCLASSIFIED 


Certificates snap-in 


This snap-in will always manage certificates for: 


@ My user account 
Service account 


© Computer account 
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Figure 19 Selecting Account for Certificate Management 


| Action view Favorites || = = | @i/ma| ES | @ 


Tree | Favorites | 
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f ED certificates - Current User 
e Certificates - Current User E® certificates (Local Computer) 
() Personal 

(9 Trusted Root Certification Authorities 

() Enterprise Trust 

(5) Intermediate Certification Authorities 

{) Active Directory User Object 

(3) REQUEST 

E-) Certificates (Local Computer} 

(9 Personal 

(} Trusted Root Certification Authorities 

-() Enterprise Trust 

(J Intermediate Certification Authorities 

(J REQUEST 





























Figure 20 Creating MMC Snap-ins 


This snap-in provides a means for the administrator to manage certificates. Select any 
container (certificate store) to display a list of certificates for that store. To install a 
certificate into a store: 


Q Right-click the store where the certificate will be placed (in this example an 
intermediate certificate will be placed into the Intermediate Certification 
Authorities store to complete a certificate chain to the root CA). 





Q Select All Tasks = Import from the pull-down menu. This starts the Import 
Wizard. 

Q Fill in the appropriate information pertaining to the certificate to install (See 
Figure 21). 
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Certificate Import Wizard 


File to Import 
Specify the File you want to import. 


File name: 


C:\win2k.1ISTest.gov_TestEnterpriseSubCA.crt 


Note: More than one certificate can be stored in a single file in the Following formats: 
Personal Information Exchange- PKCS #12 (,PFX,.P12) 
Cryptographic Message Syntax Standard- PKCS #7 Certificates (.P7B) 
Microsoft Serialized Certificate Store (.55T) 





Cancel 


Figure 21 Certificate Import Wizard - Selecting File to Import 


Q Select the appropriate Certificate Store to install the certificate (See Figure 22). 
The wizard will display the information for the Administrator to verify. Verify and 
select Finish. The certificate is now listed in the selected certificate store. 
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Certificate Import Wizard 


Certificate Store 
Certificate stores are system areas where certificates are kept, 





Windows can automatically select a certificate store, or you can specify a location for 
© Automatically select the certificate store based on the type of certificate 


@ Place all certificates in the following store 
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Certificate store: 
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Intermediate Certification Authorities Browse... | 











< Back Cancel | 


Figure 22 Certificate Import Wizard — Selecting Certificate Store 


Q In the Trusted Root Certification Authorities and Intermediate Certification 
Authorities stores, many CA certificates are installed by default. It is important to 
delete all untrusted CAs, making sure only trusted CAs are listed in these 
certificate stores.(See Figure 23) 


Q Expand the Personal folder under the Local Computer Certificates and click the 
Certificates folder (store). (See Figure 24) All certificates issued to the local 
machine are listed in the right pane. Double-click any certificate in the store to 
view its details. Figure 25, Figure 26, and Figure 27 show examples of the 
certificate window's General, Details, and Certification Path tabs, respectively. 
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"Ta Console1 


Console Window Help || () ca ted | El 


Tai Console Root'Certificates (Local Computer)\ Intermediate Certification Authorities'Certificates Fils) 3 


| Action Yiew Favorites | = =» | ma) | eB Does 
Tree | Favorites | Issued B 


Console Root 
=) Certificates (Local Com 
=) Personal 


nf 9) Certificates 

+) (5) Trusted Root Certif 

+) Enterprise Trust 

=|. Intermediate Certif 
oo) Certificate Rev 
A) Certificates 

(5) REQUEST 


+) spc 





Figure 23 Deleting Untrusted CA 


"T”~ Console Root',Certificates (Local Computer)\Personal\Certificates 


| Action View Favorites |¢ »>|Glm|@|\2ib|e 
Tree | Favorites | 


(9 Console Root ] |@testenterprisesubca TestEnterpriseRootCA 
iS _ Certificates (Local Computer) win2k.1sTest.gov TestEnterpriseRootCA 


=) Personal 

|. <5 Certificates 

-() Trusted Root Certification Authc 
{9 Enterprise Trust 


)~-( Intermediate Certification Autha = 
> { 4 


OO ne euires 


Personal store contains 2 certificates, 


Figure 24 Personal Certificates 
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Certificate HE 


General | petails | Certification Path | 


Certificate Information 


This certificate is intended to: 


*Ensures the identity of a remote computer 
*Proves your identity to a remote computer 
*Ensures software came From software publisher 
*Protects software from alteration after publication 
*Protects e-mail messages 

*Allows data to be signed with the current time 
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Issuedto: TestEnterpriseSubC4 


Issued by: TestStandAloneRootcA 


¥alid from 5/18/2001 to 5/18/2003 





Figure 25 Certificate - General Tab 


Certificate 20x! 


General Details | certification Path | 





version V3 

Iserial number 6134 C6D5 0000 0000 0002 
|signature algorithm shalRSA 

issuer TestStandAloneRootca, My 0... 

| valid From Friday, May 18, 2001 11:22:3... 

| valid to Sunday, May 18, 2003 11:32... 

= Jsubject TestEnterpriseSubCA, My Org... 
JPublic key RSA (2048 Bits) hd 


Figure 26 Certificate — Details Tab 
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Certificate 21x! 


General | Details Certification Path | 





~ Certification path 


TestStandAloneRootCA 
f=] TestEnterpriseSubCA 
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View Gertificate 














Certificate status: 
This certificate is OK. 





Figure 27 Certificate — Certification Path Tab 


Enterprise CA Templates 


A certificate template profiles certificates based on their intended use. A certificate 
requester, depending on their access rights, is able to select from a variety of certificate 
types based on certificate templates. This prevents the user from having to provide 
detailed information about the type of certificate that is needed. Instead, they can select a 
template name that indicates the purpose of the certificate. An enterprise CA 
administrator can select specific certificate types that the CA is permitted to issue using 
templates. Initially, only the Administrator, Domain Controller, Computer, Basic EFS, EFS 
Recovery Agent, User, and Web Server templates are made available to certificate 
requesters. The Microsoft Management Console Help utility provides a table listing other 
templates an administrator can choose to make available, along with their purpose and 
whether the type of certificate is issued to people or computers. Search for “Certificate 
Templates” to access the table. To make other types of certificate templates available to 
requesters: 


QO Open the Certification Authority snap-in 
Select CA Name — Policy Settings 





Q 
QO Onthe Action menu, select New - Certificate to Issue 
Q 


Select the new certificate template to use and click OK 
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To stop issuing certificates of a particular type: 


Q In the details pane of the Policy Settings, select the certificate template you no 
longer want to issue from the CA 





QO Onthe Action menu, select Delete 


NOTE: The only templates that should be made available to 
certificate requesters are those the CA is required to issue 
according to the site’s security policy. 


Templates define the information that goes into a certificate, certificate extensions, and 
the origin of the information. Various templates are published in Active Directory and are 
global across a Windows 2000 forest. Single-purpose and multi-purpose templates can 
be issued by an enterprise CA. Single-purpose templates generate certificates that can 
be used by a single application, such as Smart Card Logon, S/MIME, or Encrypting File 
System (EFS). Multi-purpose templates generate certificates that can be used for a 
number of applications, such as SSL, S/MIME and EFS. Templates exist for issuing 
certificates to both computers and users. 


An enterprise CA uses domain authentication (access tokens) to identify users and 
computers. The CA impersonates the user to obtain the correct security context. This 
enables the policy module to establish the rights of the user to the requested template 
and the CA. Computers can be configured to automatically receive certificates using the 
Windows 2000 group policy service. 


Group policy is used to specify the number of templates that can be applied to the 
computer. On computer startup, the list of certificates located in the local machine “my 
certificate store” is compared to the templates applied by the group policy. If the 
computer does not have a certificate for each corresponding template, the computer will 
enroll for a certificate to an enterprise CA in the forest for that template. Auto-enrollment 
for computers allows the administrator to request, from a single point, certificates from 
enterprise CAs for all computers in a domain or Organizational Unit (OU). 


Setup automatic certificate requests for computers on a Domain Controller as follows: 


Q Edit the Default Domain Policy Group Policy Object. This can be done by right- 
clicking the domain node of the Active Directory Users and Computers snap-in 
and selecting Properties. 


OQ Expand Computer Configuration - Windows Settings — Security Settings — 
Automatic Certificate Request Settings. 


Q Right-click the Automatic Certificate Request Settings folder, point to New and 
select Automatic Certificate Request. 





Q This launches the Automatic Certificate Request Setup Wizard. Click Next. 
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Certificate Template Se 
The next time a computer logs on, a certificate based on the template you select is LS 
provided. 


A certificate template is a set of predefined properties for certificates issued to 
computers. Select a template from the following list. 


Certificate templates: 


Intended Purposes 

Client Authentication, Server Authenticatior 
Domain Controller Client Authentication, Server Authenticatior 
Enrollment Agent (Computer) Certificate Request Agent 
IPSEC 1.3.6.1.55.38.2.2 
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Figure 28 Selecting a Certificate Template 





Q Choose a certificate template from the list of templates. A certificate based on the 
selected template will be provided to a computer during the next logon. (See 
Figure 28) 


Q Select the CA on the domain to send the certificate request. Generally, there will 
only be one CA on the domain, but there could be more than one CA in an 
enterprise. CAs not running the enterprise policy module will not be displayed. 
Click Next 


Q Click Finish. The certificate request will take place when the Group Policy Object 
is refreshed on the client. 


Template Security 


Certificate template security permissions determine who in the enterprise can enroll for 
the type of certificate specified by the template. Administrators should go through the list 
of templates and remove domain users and authenticated users from the security 
permissions list of those templates the CA will not be permitted to issue. This way, if one 
or more of these templates are inadvertently made available to users, their request to 
enroll for the certificate will be denied. The only reason these templates should exist on 
the CA is if they will be needed in the future. Once again, make sure only those templates 
the CA is required to issue, according to the site’s security policy, are made available to 
the user (the steps for doing this were discussed earlier in this section). 


Default permissions on templates vary depending on the template. It is important to 
determine the purpose of the CA and select templates accordingly. Then, assign 
permissions to these templates. Permissions include: Full Control, Read, Write, and 
Enroll. End-users only require the permission to enroll for a certificate. Enterprise Admins 
do not require full control of templates. Their access varies based on the certificate type. 
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Default settings for Enterprise Admins are usually sufficient. Look over all access to the 
templates to be issued by the CA to ensure the permissions are in accordance with the 
site’s security policy. 


Security permissions for certificate templates are set through the Active Directory Sites 
and Services snap-in. Select Show Services Node in the View menu to see Services in the 
details pane. Expand Services — Public Key Services — Certificate Templates. Double-click 
each certificate template the CA will make available to users, select the Security tab and 
configure to the desired permissions. It is a good idea to remove all certificates that the 
CA is not required to make available to users. 
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An administrator can also delegate control over the templates’ container. Highlight the 
Certificate Templates container, right-click and select Delegate Control. The following 
window is displayed figure 29), allowing the administrator to delegate the management 
of the CA templates to a specified group, i.e., Enterprise Admins, for example. 
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ff AD Sites and Services 
— = Delegation of Control Wizard 
|| Console Window Help 











5 E Users or Groups 
| Action View | | alice | : Select one or more users or groups to whom you want to delegate control. 











isa Active Directory Sites and Services [ Selected users and groups: 
+ Sites Enterprise Admins (IISTEST \Enterprise Admins) 
}-(.) Services 
+ [a] MsmaServices 
+) NetServices 
=) Public Key Services 
ala 
EQ cop 
(5) ntserver 
(3) winzk 
4 Certificate Templates 
() Certification Authorities 
(5) Enrollment Services 
+) (5) RRAS 
+) Windows NT 


























Figure 29 Delegating Control of Templates 


NOTE: Although Certification Authorities and Enrollment 
Services are listed under Public Key Services, security 
permissions for these nodes MUST NOT be set using the 
Active Directory Sites and Services snap-in. These 
\ permissions need to be set using the Certification Authority 
“ snap-in discussed earlier. Changes made in Active Directory 
Sites and Services could result in problems for users when 
they try to access the CA. 


When an administrator chooses to delegate control over a container or object, he/she can 
limit the control granted. A list of options are displayed allowing the administrator to select 
whether the Selected users and groups will have full control of the container and all objects 
in it, or only specified objects (e.g., certificationAuthority objects) (See Figure 30). Once 
that determination is made, the administrator can select the type of access to delegate. 
Administrators should carefully think through what they want to delegate control over, to 
whom, and how much access is required to accomplish the task. Do not grant more 
permissions than necessary to accomplish the assigned task(s). 
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Delegation of Control Wizard 


Active Directory Object Type 
Indicate the scope of the task you want to delegate. 





Delegate control of: 
© This folder, existing objects in this folder, and creation of new objects in this folder 
Only the following objects in the folder: 


( aCSResourceLimits objects 

cettification4uthority objects 

(J Computer objects 

(J Connection objects 

(CJ Contact objects 

(J Group objects 

0 groupPolicyContainer objects 

[71 intellimitrarGraun ohiercts x 
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Figure 30 Delegating Control of Objects 





Certificate Revocation Lists (CRLs) 


A certificate can become invalid if the corresponding private key has been compromised, 
the certificate was issued fraudulently, or there is a change in the status of the certificate 
subject as a trusted entity. Invalid certificates need to be revoked and placed on a CRL to 
be published. If a certificate is deemed invalid, this process needs to take place as soon 
as possible so the information can be distributed to all entities that are configured to trust 
the validity of the revoked certificate. 


To revoke an issued certificate: 


Q Using the Certification Authority, select the Issued Certificates folder. A list of 
issued certificates is displayed in the right pane. 


Right-click the certificate to be revoked. 


Select All Tasks and click Revoke Certificate. 





Select the reason for the revocation from the drop-down list box of reason codes 
and click Yes. (See Figure 31) 
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fn 


28 Certification Authority 


| action view || <2 => m| fj &| 2 


Request ID Requester Name Binary Certificate Serial Number 





Certification Authority (Local) IISTEST\sheila BEGIN CERTI... 4ed445dc000.., 8/1/20 


6) TestEnterpriseSubCA 
( Revoked Certificates 
{Sy Issued Certificates 
(_] Failed Requests 
(9 Policy Settings Are you sure you want to revoke the selected certificate(s]? 














IWETar-Yo Inve M@X-vaiiirerslists) 
with the MMC 


‘You may specify a reason for this revocation. 


Reason code: 
Unspecified 
Unspecified 
Key Compromise 
CA, Compromise 
Change of Affiliation 
Superseded 
Cease of Operation 
Certificate Hold 





Figure 31 Selecting A Reason for Certificate Revocation 


If the reason code selected is “Certificate Hold”, the certificate can be unrevoked, left on 
“Certificate Hold” until it expires, or have the revocation reason code changed. This is the 
only reason code that allows an administrator to change the status of a revoked 
certificate. An administrator may choose to select this code if there is some question 
about the validity of the certificate. The certificate can remain in this state until the 
administrator can investigate and come to a decision regarding the certificate. 


= The certificate is marked as revoked and is moved to the Revoked Certificates folder. 
The revoked certificate will appear on the CRL the next time it is published. 


™ Force the publication of a CRL by right-clicking the Revoked Certificates folder, select 
All Tasks, and click Publish. A warning will be displayed notifying the administrator 
that the last published CRL is still valid. Click Yes to publish the new CRL anyway. 

To unrevoke a certificate, type the following command from a command prompt on the 

CA: certutil -revoke certificateserialnumber unrevoke. Double-clicking the revoked 

certificate and clicking the Details tab will display the certificateserialnumber. A list of 

parameters for the certutil command can be found in the Microsoft Help pages. 
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NOTE: It is important to note here that manually forcing the 
CRL to be published only makes the new CRL available to 
systems that do not have a cached copy of the previous CRL. 
Systems with a cached copy of the previous CRL will 

continue to use that CRL until it expires. Administrators 
should have a procedure in place to notify clients when a 
new CRL is published prior to the previous CRLs publication 
period expiration so they may retrieve the new copy. Also, 
manually publishing a CRL will not change the time when a 
CRL will be automatically published. For example, if a new 
CRL is published in the middle of a publication period, the 
CRL will still be republished at the end of the current publish 
period. 





To obtain information about the current CRL, right-click the Revoked Certificates folder 
and select Properties. Click View Current CRL. The General tab provides overall 
identification information for the CRL. The Revocation List tab displays the CRL contents. 


Every CA publishes an updated CRL at regular intervals, determined by the 
administrator. The default publish period is set to one week. This is based on the 
machine’s local time and the date the CA was installed. There is a difference in the 
publish period and the validity period of a CRL. The validity period is extended by 10% 
(up to 12 hours) of the publish period to allow for Active Directory replication. For 
example, if the CA sets the publish period to 24 hours, the CRL will be valid for 26.4 
hours. Also, 10 minutes is added to either side of the validity period to allow for variances 
in computer clock settings. 


Windows 2000 CAs issue certificates with CRL distribution points as part of its content. 
This provides a certificate verifier with information pertaining to the location of the current 
CRL. A CRL file is published in Systemroot\System32\Certsrv\Certenroll on 
the CA by default. Windows 2000 supports CRL publication to Active Directory. Clients 
can then obtain this information from Active Directory and cache it locally to use when 
verifying certificates. 
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Additional Security Issues 
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Antiviral Program 








There are numerous public sector sources for information on antiviral products. A 
suggested starting point is the International Computer Security Association at 
http://www.ncsa.com. This Web page contains a lot of generic information about viral 
solutions and hot links to the major vendors. 


Implement a robust anti-viral program as part of the security policy for your entire site. 


Audits 





The Certificate Services Log and Database is useful when auditing a CA. It can be used 
to review queued requests and issued certificates. An administrator can use the 
Certificate Services Log and Database when determining which certificates need to be 
placed on the CRL. For instance, an administrator may discover an intrusion occurred on 
the CA on a specific date and determine all certificates issued after that date cannot be 
trusted. A filter can be used to display information about certificates issued during a 
specified period of time. Those certificates can be placed on a CRL and new certificates 
can be issued. To display the Certificate Services Log and Database, perform the 
following steps: 


Q In the Certification Authority tool, beneath the CA name, right-click Issued 
Certificates. 





Q Select the fields to be viewed. Request ID must be selected. Other options are 
Serial Number, Certificate Effective Date, Certificate Expiration Date, and Issued 
Common Name. Click OK. 


Q Select Issued Certificates to display a list of issued certificates in the right pane. 


Q Right-click Issued Certificates and select View — Choose Columns to change the 
order of the displayed columns and add/remove columns. 





Q Right-click Issued Certificates and select View — filter, to display certificates 
based on the selected filter criteria. Figure 32 is an example of the data that can 
be set in the filter window. 
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New Restriction 24x! 





Operation: 


<= bd 


Value: 


[ 9/18/1999 x] 1:47 PM aaa 
coel_| 


Figure 32 Sample Data for Filtering Information 


Certificate Service Web Pages 
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Common tasks can be accomplished using Certificate Service Web pages. Internet 
Information Server (IIS) must be installed on the CA receiving requests from users 
through Web pages. Enterprise CAs require the requester to logon with a user ID. Once 
the user selects a certificate template, the CA searches the Active Directory for the 
requester’s account and generates a certificate based on the chosen template combined 
with information in the Active Directory. No more input is required from the user to issue a 
certificate. 


During certificate enrollment, credential checks are performed on users. As long as the 
requester is authorized to receive the specified certificate tyoe AND the CA is configured 
to issue the selected certificate type, the user will be issued the certificate immediately. 
Stand-alone CAs do not require the requester to logon, but issues a certificate based on 
the information submitted by the requester. By default, the CA will NOT immediately 
issue the certificate to the requester, but set the certificate to pending. An administrator 
must approve the request prior to making it available to the requester. This requires the 
requester to revisit the Web pages to retrieve the certificate once it has been approved. 
Following are examples of some typical screens a user might see when accessing 
Certificate Service Web pages. 
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¥ Microsoft Certificate Services - Microsoft Internet Explorer 


| File Edit View Favorites Tools Help 
| epak~ > - OE) a) Qsearch fe|Favorites CBristory | F\~ S ( ~ 7) 


| Address fé) http: //win2k/certsrv} | Go 








Microsoft Certificate Services -- TestEnterpriseSubCA Home 


Welcome 


You use this web site to request a certificate for your web browser, e-mail client, or other secure 
program. Once you acquire a certificate, you will be able to securely identify yourself to other people over 
the web, sign your e-mail messages, encrypt your e-mail messages, and more depending upon the type 
of certificate you request. 


Select a task: 
© Retrieve the CA certificate or certificate revocation list 


@ Request a certificate 
© Check on a pending certificate 


| 
\€] Done 3 | [ @ Localintranet 


Figure 33 Certificate Services Web Page 





3 Microsoft Certificate Services - Microsoft Internet Explorer 
| File Edit Yiew Favorites Tools Help 
| Back + > ~ @ [2 Gt | Dsearch (SlFavorites ¢4History | Ay & - S 


| Address 2) http: /win2kicertSrv/certrqus. asp 








Microsoft Certificate S - TestEnterpriseSubCA Home 
Choose Request Type 
Please select the type of request you would like to make: 


© User certificate request: 


@ Advanced request 





Figure 34 Selecting Request Type 
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If the CA you are requesting a certificate from implements the Stand-alone Policy 
module, a User Certificate -— Identifying Information page will be displayed. Fill in the 
necessary information and click Next. Enterprise CAs will retrieve the required 
information from Active Directory and will prompt you to submit your request. 


The options seen in Figure 35 and Figure 36 are available when Advanced request is 
selected. When connecting to an enterprise CA, a Certificate Template drop-down box 
is available that lists templates for certificates the CA is permitted create. All other fields 
on the form are optional, however, as stated previously, it is recommended you choose 
the Microsoft Enhanced CSP to enable support for large key sizes. The CA, based on the 
template chosen, provides the information for these optional fields. There are two 
exceptions where the requester is required to complete all of the fields, when selecting 
the WebServer or IPSec Offline templates. 


For standalone CAs, an Extended Key usage field is available in place of the template 
drop-down box. Choose the Extended Key usage that most closely fits the intended 
purpose of the certificate. All fields in the form are required to be filled in when requesting 
a certificate from a stand-alone CA. 


Microsoft Certificate Services -- TestEnterpriseSubCA 

Advanced Certificate Requests 

You can request a certificate for yourself, another user, or a computer using one of the following 
methods. Note that the policy of the certification authority (CA) will determine the certificates that you can 
obtain. 


@ Submit a certificate request to this CA using a form. 


© Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a 
base64 encoded PKCS #7 file. 


© Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment 
Station. 
You must have an enrollment agent certificate to submit a request for another user. 


Next > | 





Figure 35 Advanced Certificate Request Options 


Following is a description of some of the options available on the Advanced Certificate 
Request form (refer to Table 3 to determine the appropriate settings for these fields): 


e CSP: Change the default Cryptographic Service Provider (CSP) to the Microsoft 
Enhanced Cryptographic Provider v1.0 or the CSP that supports an implemented 
special hardware device (such as a smart card). 


e Key Size: The key size will @pend on your configuration. Choose the largest key 
size that is compatible with your configuration. Keep in mind, key sizes above 2048 
take longer to generate and may not be compatible with older applications. 


e Key Usage: Determines how the certificate will be used, i.e., for encryption, signing, 
or both. 


e Hash Algorithm: The default setting is appropriate for most applications. Unless it is 
a requirement to change it, leave the default setting. 
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e Use local machine store. Choosing this option will place the keys and the certificate 
in a local machine store, making them available to system processes. Select this 
option if an IPSec certificate is requested. 


Microsoft Certificate Services -- TestEnterpriseSubCA Home 


Advanced Certificate Request 


Certificate Template: 
[User x] 


Key Options: 
CSP: | Microsoft Enhanced Cryptographic Provider v1.0 ad 
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Key Usage: © Exchange © Signature © Both 
Key Size: [2048 Min: 28 


@ Create new key set 
T Set the container name 
© Use existing key set 





M Enable strong private key protection 
I~ Mark keys as exportable 


I~ Use local machine store 
You must be an administrator to generate 
@ key in the local machine store. 


Additional Options: 


Hash Algorithm: [SHAT >| 


Only used to sign request. 


I~ Save request to a PKCS #10 file 


Attributes: Ps 
> 


Figure 36 Example of Advanced Certificate Request Form 





Securing Certificate Service Web Pages 


Web pages on enterprise CAs must be kept secure since certificate requesters must be 
authenticated to the page so that it can determine the correct information to put into the 
requested certificate. If authentication is not set for the Web pages, a certificate will not 
be generated or, if a certificate is generated, it will be useless. Before following the 
procedures to verify the Web pages are secure, make sure you can connect to the 
Certificate Services Web pages. If an error occurs, check to se that the pages were 
installed. Also, if IIS was installed after Certificate Services, the Web pages were not 
installed. If the CertSrv virtual directory does not exist, run certutil —vroot from the 
command prompt to create it. If you have to reinstall Certificate Services, make sure use 
existing keys is selected and select the appropriate CA name from the list. 


Q Inthe ISM, expand the Default Web site and locate the CertSrv virtual directory 


Right-click CertSrv and select Properties 





Q 
Q Select the Directory Security tab 
QO 


Click Edit under the Anonymous access and authentication control 
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Q Make sure Integrated Windows authentication is the ONLY option selected and 
click OK, and close all dialog boxes. 


[5x] 


Internet Information Services t (scripts c:\inetpub\scripts 
| 5-9 * ntserver - dad c:\winnt\help\iishelp 

9) Default FTP Site IISAdmin CAAWINNT\System32\inetsrv\iisadmin 
te 4 Default Web Site. i @ussamples c:\inetpub\jissamples 
+ ® Administration Web Site : save c:\program Files\common files\system\msadc 
& Default SMTP Virtual Server — @e _bin C:\Program Files\Common Files\Microsoft Shared\wWeb 
fey Default NNTP Virtual Server |@4@bcertsr CWINNTiSystem32\CertSry 








‘3 al Moule mestreeal : ANAM TRIBITS Cr rek orn 2h Kael : v\CertControl 


Pprv\CertEnroll 




















Figure 37 Securing Certificate Service Web Pages 
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Backups 


Backup Procedures 








It is very important to include a disaster recovery policy in your site’s security plan. There 
are several ways to backup the data on your server. Automatic backups, such as disk 
mirroring or disk duplexing, where there is a complete copy of the server’s hard drive that 
can go online in the event the primary drive goes down, and manual backups. It is 
recommended not to rely on disk mirroring or duplexing exclusively. This strategy only 
protects against a single drive failure. In the event of a multiple disk failure, you must 
have other backups to recover. Here are some things to consider when implementing 
your backup strategy: 


= How often does the server content change? 
™ How long can your site go without providing services to clients? 


=™ Members of the Backup Operators group should have special logon accounts when 
performing backups. Backup privileges should not be assigned to regular user 
accounts. 


™ Consider keeping a set of backups offsite in the event of a natural disaster. 


™ Make a set of backups before and after any maintenance to the server providing 
certificate services. This includes any software or hardware changes to the system. 


= It is very important that you make and TEST your backups regularly. Remember to 
include a strategy for backing up the Registry in your backup plan. 


= ~=Make sure that NTFS permissions are intact when a restore is done from a backup. 


Backing Up Certificate Services 


CAs are critical elements within a PKI. The loss of a CA due to hardware or storage 
media failure could result in the inability to preserve an audit trail of issued certificates 
and certificate requests. The ability to revoke issued and previously unrevoked 
certificates may also be lost. Therefore, regular backups must be performed on all CAs to 
ensure quick recovery in the event of a failure, preserving the stability of the PKI. The 
preferred method for backing up Certificate Services is to backup the entire server. 
However, it is possible to backup and restore a CA using the Certification Authority snap- 
in. This tool can be used to selectively backup keys, certificates, and the database (log of 
issued certificates and the queue of pending requests). 


Q Create a backup directory and set permissions to only allow the system and 
administrator's group access. At least one set of backups should be located in a 
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directory on a remote machine not within the site to prevent the loss of backup 
data in the event of a natural disaster or some other type of catastrophe. If there 
is not a machine to backup to, store the backup on recordable media and send to 
an offsite storage location. 


Q Inthe Certification Authority tool, right click the CA to backup, select All Tasks, 
Backup CA 


A Certification Backup Wizard opens. Click Next 





Select the items to include in the backup and enter a previously created backup 
directory. Generally, you will want to select the Private key and CA certificate, 
and the Issued certificate log and pending certificate request queue options. Click 
Next. (See Figure 38) 


Q A window will display asking for a password. This password is required to protect 
the backup file. This password is requested when restoring the CA certificate. 
Click Next. (See Figure 39). 





Q The next window lists the options you chose to backup. Click Finish and the 
backup will take place. (See Figure 40). 


{ Certification Authority 





| Action View lle >| Glm|\ ge 2) | 2 I! » | K z 








2 Certification Auth ReubiueC ASUS aoe em reel) 
= fA TestEnterpris 
(5) Revoked 
(3) Issued Ce 
(BBR) Pech a 
(| Failed Re 
= Policy Set Select the items you wish to back up: 
IV Private key and CA cettificate 


El Configuration Information 





Items to Back Up 
‘You can back up individual components of the certification authority data. 


IV Issued certificate log and pending cettificate request queue 
T Perform incremental backup 


Back up to this location: 


JescaB ackupl Browse... | 


Note: The back up directory must be empty. 
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Figure 38 Selecting Items to Back-up 
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Certification Authority Backup Wizard 


Select a Password SS 
For encryption and decryption of messages, both a public key and a private key SY 
are required. ‘ou must supply a password for the private key. 





This password is required to gain access to the private key and the CA certificate file. 


Password: 


et ——__—__—— 


Contitm password: 





To maintain private key security, do not share your password. 





Figure 39 Selecting a Password for CA Backup 


Certification Authority Backup Wizard 


Completing the Certification 
Authority Backup Wizard 


‘You have successfully completed the Certification Authority 
Backup wizard. 


You have selected the following settings: 


Private Key and CA Certificate 
Issued Log and Pending Requests 


a» 


To close this wizard and begin backup, click Finish. 
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Figure 40 Completion of CA Backup Wizard 
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Restoring Certificate Services 


The following procedures describe how to restore a backed up certificate service. 


Q) 
Q) 
Q) 





If Certificate Service is running, you are prompted to stop it. Click OK 
The Certification Authority Restore Wizard opens. Click Next 


Select the items you wish to restore (the options are the same as for backing up) 
and the name of the backup directory where the backup file is located. Click Next 


You are prompted for the password to access the private key and the CA 
certificate file. Enter the password you used when backing up the CA. Click Next 


A window listing the items to be restored is displayed. Click Finish. You are 
asked if you want to restart Certificate Services. If incremental backups still need 
to be restored, or if the IIS metabase needs to be restored, select no. Otherwise, 
select Yes. 


NOTE: If a damaged or missing IIS metabase is not restored, 
IIS will not start and, therefore, neither will Certificate 
| Services. 


LT 
If the database logs are present at the time of the restore, the CA will be restored to the point in time 
of the restore. This means that the database logs will be used to apply changes to the database since 
the last backup. If the database logs are deleted before the restore, the CA will be restored to the 
point in time of the last backup. 
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Further Information (Reference Resources) 


Windows 2000 Security, Little Black Book by lan McLean, www.coriolis.com 


Microsoft's Certificate Services Help pages 


www.microsoft.com/windows2000/library/howitworks - The security section of this page 
provides technical papers on PKI and Certificate Services. 


Revisions: 


2.0 — Updated some screen images to reflect a different key length option because some 
hardware devices do not support very long key lengths. Modified recommendation on when to reuse 
existing keys when renewing a CA. 


2.0.1 — Changed e-mail address and removed phone number from cover page 
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